Commit Graph

31 Commits

Author SHA1 Message Date
Hemant Agrawal
0f56ca1aae ipsec: remove redundant replay window size
The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usages.

Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Vladimir Medvedkin
b2ee269267 ipsec: add SAD add/delete/lookup implementation
Replace rte_ipsec_sad_add(), rte_ipsec_sad_del() and
rte_ipsec_sad_lookup() stubs with actual implementation.

It uses three librte_hash tables each of which contains
an entries for a specific SA type (either it is addressed by SPI only
or SPI+DIP or SPI+DIP+SIP)

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-23 16:57:06 +02:00
Vladimir Medvedkin
3feb23609c ipsec: add SAD create/destroy implementation
Replace rte_ipsec_sad_create(), rte_ipsec_sad_destroy() and
rte_ipsec_sad_find_existing() API stubs with actual
implementation.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-23 16:57:06 +02:00
Vladimir Medvedkin
401633d9c1 ipsec: add inbound SAD API
According to RFC 4301 IPSec implementation needs an inbound SA database
(SAD).
For each incoming inbound IPSec-protected packet (ESP or AH) it has to
perform a lookup within it's SAD.
Lookup should be performed by:
Security Parameters Index (SPI) + destination IP (DIP) + source IP (SIP)
or SPI + DIP
or SPI only
and an implementation has to return the 'longest' existing match.
This patch extend DPDK IPsec library with inbound security association
database (SAD) API implementation that:
- conforms to the RFC requirements above
- can scale up to millions of entries
- supports fast lookups
- supports incremental updates

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-23 16:57:06 +02:00
David Marchand
7dde68cf0e net: add missing rte prefix for ESP tail
This structure has been missed during the big rework.

Fixes: 5ef2546767 ("net: add rte prefix to ESP structure")
Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-10-08 12:14:31 +02:00
Fan Zhang
cd5b860c18 ipsec: support header construction
Add support for RFC 4301(5.1.2) to update of
Type of service field and Traffic class field
bits inside ipv4/ipv6 packets for outbound cases
and inbound cases which deals with the update of
the DSCP/ENC bits inside each of the fields.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-07-05 15:28:14 +02:00
Lukasz Bartosik
8734e669fc ipsec: include high order bytes of ESN in packet length
When esn is used then high-order 32 bits are included in ICV
calculation however are not transmitted. Update packet length
to be consistent with auth data offset and length before crypto
operation. High-order 32 bits of esn will be removed from packet
length in crypto post processing.

Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-07-05 15:28:14 +02:00
Konstantin Ananyev
e95291f019 ipsec: support multi-segment packets
Add support for packets that consist of multiple segments.
Take into account that trailer bytes (padding, ESP tail, ICV)
can spawn across multiple segments.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-07-05 15:28:14 +02:00
Marcin Smoczynski
2c1887fad0 ipsec: fix transport mode for IPv6 with extensions
Reconstructing IPv6 header after encryption or decryption requires
updating 'next header' value in the preceding protocol header, which
is determined by parsing IPv6 header and iteratively looking for
next IPv6 header extension.

It is required that 'l3_len' in the mbuf metadata contains a total
length of the IPv6 header with header extensions up to ESP header.

Fixes: 4d7ea3e145 ("ipsec: implement SA data-path API")
Cc: stable@dpdk.org

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-07-05 15:28:14 +02:00
David Marchand
18218713bf enforce experimental tag at beginning of declarations
Putting a '__attribute__((deprecated))' in the middle of a function
prototype does not result in the expected result with gcc (while clang
is fine with this syntax).

$ cat deprecated.c
void * __attribute__((deprecated)) incorrect() { return 0; }
__attribute__((deprecated)) void *correct(void) { return 0; }
int main(int argc, char *argv[]) { incorrect(); correct(); return 0; }
$ gcc -o deprecated.o -c deprecated.c
deprecated.c: In function ‘main’:
deprecated.c:3:1: warning: ‘correct’ is deprecated (declared at
deprecated.c:2) [-Wdeprecated-declarations]
 int main(int argc, char *argv[]) { incorrect(); correct(); return 0; }
 ^

Move the tag on a separate line and make it the first thing of function
prototypes.
This is not perfect but we will trust reviewers to catch the other not
so easy to detect patterns.

sed -i \
     -e '/^\([^#].*\)\?__rte_experimental */{' \
     -e 's//\1/; s/ *$//; i\' \
     -e __rte_experimental \
     -e '/^$/d}' \
     $(git grep -l __rte_experimental -- '*.h')

Special mention for rte_mbuf_data_addr_default():

There is either a bug or a (not yet understood) issue with gcc.
gcc won't drop this inline when unused and rte_mbuf_data_addr_default()
calls rte_mbuf_buf_addr() which itself is experimental.
This results in a build warning when not accepting experimental apis
from sources just including rte_mbuf.h.

For this specific case, we hide the call to rte_mbuf_buf_addr() under
the ALLOW_EXPERIMENTAL_API flag.

Signed-off-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
2019-06-29 19:04:48 +02:00
David Marchand
cfe3aeb170 remove experimental tags from all symbol definitions
We had some inconsistencies between functions prototypes and actual
definitions.
Let's avoid this by only adding the experimental tag to the prototypes.
Tests with gcc and clang show it is enough.

git grep -l __rte_experimental |grep \.c$ |while read file; do
	sed -i -e '/^__rte_experimental$/d' $file;
	sed -i -e 's/  *__rte_experimental//' $file;
	sed -i -e 's/__rte_experimental  *//' $file;
done

Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
2019-06-29 19:04:43 +02:00
Olivier Matz
a7c528e5d7 net: add rte prefix to IP structure
Add 'rte_' prefix to structures:
- rename struct ipv4_hdr as struct rte_ipv4_hdr.
- rename struct ipv6_hdr as struct rte_ipv6_hdr.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-05-24 13:34:46 +02:00
Olivier Matz
5ef2546767 net: add rte prefix to ESP structure
Add 'rte_' prefix to structures:
- rename struct esp_hdr as struct rte_esp_hdr.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-05-24 13:34:45 +02:00
Marcin Smoczynski
b4c32d036b ipsec: fix headers install
Invalid statement is used to indicate header files to install.

Fixed the statement and reformatted recipe file.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
2019-05-09 15:21:39 +02:00
John McNamara
8bd5f07c7a doc: fix spelling reported by aspell in comments
Fix spelling errors in the doxygen docs.

Signed-off-by: John McNamara <john.mcnamara@intel.com>
2019-05-03 00:38:14 +02:00
Konstantin Ananyev
3affe1bbcc ipsec: de-duplicate crypto op prepare
For sym_crypto_op prepare move common code into a separate function(s).

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Konstantin Ananyev
874cbe577b ipsec: reorder packet process for ESP inbound
Change the order of operations for esp inbound post-process:
- read mbuf metadata and esp tail first for all packets in the burst
  first to minimize stalls due to load latency.
- move code that is common for both transport and tunnel modes into
  separate functions to reduce code duplication.
- add extra check for packet consitency

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Konstantin Ananyev
a41a33c550 ipsec: reorder packet check for ESP inbound
Right now check for packet length and padding is done inside cop_prepare().
It makes sense to have all necessary checks in one place at early stage:
inside pkt_prepare().
That allows to simplify (and later hopefully) optimize cop_prepare() part.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Konstantin Ananyev
6015e6a133 ipsec: move inbound and outbound code
sa.c becomes too big, so decided to split it into 3 chunks:
 - sa.c - control path related functions (init/fini, etc.)
 - esp_inb.c - ESP inbound packet processing
 - esp_outb.c - ESP outbound packet processing

Plus few changes in internal function names to follow the same
code convention.
No functional changes introduced.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Konstantin Ananyev
15d5070a8b ipsec: change the way unprocessed mbufs are accounted
As was pointed in one of previous reviews - we can avoid updating
contents of mbuf array for successfully processed packets.
Instead store indexes of failed packets, to move them beyond the good
ones later.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Konstantin Ananyev
d14e7e7b5b ipsec: change order in filling crypto op
Right now we first fill crypto_sym_op part of crypto_op,
then in a separate cycle we fill crypto op fields.
It makes more sense to fill whole crypto-op in one go instead.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Konstantin Ananyev
ed2a31871f ipsec: add Tx offload template into SA
Operations to set/update bit-fields often cause compilers
to generate suboptimal code. To avoid such negative effect,
use tx_offload raw value and mask to update l2_len and l3_len
fields within mbufs.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02 16:50:24 +02:00
Fan Zhang
51acc16b51 ipsec: support 3DES-CBC
This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-03-22 15:54:24 +01:00
Fan Zhang
3975d5cb1d ipsec: support AES-CTR
This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-03-22 15:54:24 +01:00
Konstantin Ananyev
423aa5e130 ipsec: fix build with gcc 6
gcc 6.2 and 6.4 fails to compile lib/librte_ipsec/sa.c
with the following errors:
lib/librte_ipsec/sa.c:
 In function inline_outb_tun_pkt_process:
 x86_64-native-linuxapp-gcc/include/rte_memcpy.h:337:2:
 error: array subscript is above array bounds [-Werror=array-bounds]
  rte_mov32((uint8_t *)dst + 1 * 32, (const uint8_t *)src + 1 * 32);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ...

It complains about the following lines of code:
esp_outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t
        ....
        /* update spi, seqn and iv */
        esph = (struct esp_hdr *)(ph + sa->hdr_len);
        iv = (uint64_t *)(esph + 1);
        rte_memcpy(iv, ivp, sa->iv_len);

While I believe it is a false positive,
it is too excessive to use rte_memcpy() here,
as IV length could be only 0/8/16 bytes.
So introduce small helper function to copy IV and use it
instead of rte_memcpy().

Fixes: 4d7ea3e145 ("ipsec: implement SA data-path API")

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-01-15 02:40:40 +01:00
Konstantin Ananyev
b73cec26cd ipsec: fix assert condition
fix invalid RTE_ASSERT condition in rsn_update_finish()

Fixes: c0308cd895 ("ipsec: rework SA replay window/SQN for MT environment")

Reported-by: Ferruh Yigit <ferruh.yigit@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-01-14 14:45:02 +01:00
Konstantin Ananyev
f901d9c826 ipsec: add helpers to group completed crypto-ops
Introduce helper functions to process completed crypto-ops
and group related packets by sessions they belong to.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 16:57:22 +01:00
Konstantin Ananyev
c0308cd895 ipsec: rework SA replay window/SQN for MT environment
With these changes functions:
  - rte_ipsec_pkt_crypto_prepare
  - rte_ipsec_pkt_process
 can be safely used in MT environment, as long as the user can guarantee
 that they obey multiple readers/single writer model for SQN+replay_window
 operations.
 To be more specific:
 for outbound SA there are no restrictions.
 for inbound SA the caller has to guarantee that at any given moment
 only one thread is executing rte_ipsec_pkt_process() for given SA.
 Note that it is caller responsibility to maintain correct order
 of packets to be processed.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 16:57:22 +01:00
Konstantin Ananyev
4d7ea3e145 ipsec: implement SA data-path API
Provide implementation for rte_ipsec_pkt_crypto_prepare() and
rte_ipsec_pkt_process().
Current implementation:
 - supports ESP protocol tunnel mode.
 - supports ESP protocol transport mode.
 - supports ESN and replay window.
 - supports algorithms: AES-CBC, AES-GCM, HMAC-SHA1, NULL.
 - covers all currently defined security session types:
        - RTE_SECURITY_ACTION_TYPE_NONE
        - RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
        - RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
        - RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL

For first two types SQN check/update is done by SW (inside the library).
For last two type it is HW/PMD responsibility.

Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 16:57:22 +01:00
Konstantin Ananyev
1e0ad1e36d ipsec: add SA data-path API
Introduce Security Association (SA-level) data-path API
Operates at SA level, provides functions to:
    - initialize/teardown SA object
    - process inbound/outbound ESP/AH packets associated with the given SA
      (decrypt/encrypt, authenticate, check integrity,
      add/remove ESP/AH related headers and data, etc.).

Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 16:57:22 +01:00
Konstantin Ananyev
9f7b43141c lib: introduce IPsec library
Introduce librte_ipsec library.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec processing API.
That initial commit provides some base API to manage
IPsec Security Association (SA) object.

Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 16:57:22 +01:00